DET0493: Detect Abuse of Inter-Process Communication (T1559)
Analyst context for executives and security teams
DET0493 is a detection strategy for abuse of Inter-Process Communication (T1559), an execution behavior where adversaries may use normal process-to-process communication mechanisms to run code or commands locally. The business issue is not the IPC mechanism itself—IPC is common and often necessary—but whether the organization can distinguish expected application behavior from suspicious execution paths across Linux, macOS, and Windows environments.
Executive priority
Treat this as a control-validation topic for execution visibility and incident response readiness. Leaders should ask whether SOC teams can investigate unusual local process communication that leads to command or code execution, and whether telemetry is retained across endpoint platforms where T1559 applies. Because the ATT&CK object provides no official detection logic, this should be prioritized as an evidence and coverage review rather than assumed detection coverage.
Technical view
This detection strategy maps to T1559, Inter-Process Communication, under the Execution tactic, with Linux, macOS, and Windows as the related platforms. SOC and detection engineering teams should validate visibility into process creation, parent-child process relationships, IPC-related activity where available, command execution following IPC interaction, and cross-process behavior that deviates from known baselines. Detection should focus on abnormal use patterns and execution outcomes, not on the existence of IPC alone, because IPC is a normal operating system and application function.
Likely telemetry
- Endpoint process creation and termination events
- Parent-child process lineage
- Command-line arguments and executed binaries or scripts
- Cross-process interaction or IPC-related telemetry where available
- User, session, and host context for processes involved
Detection direction
- Validate that telemetry exists for Linux, macOS, and Windows systems in scope, since the related ATT&CK technique applies to those platforms.
- Correlate IPC-related behavior with subsequent local command or code execution rather than alerting on IPC use alone.
- Tune detections around unusual process ancestry, unexpected child processes, uncommon command lines, or execution by applications that do not normally launch interpreters, shells, or administrative tools.
- Account for false positives from legitimate applications, service managers, automation tools, and desktop software that rely heavily on IPC.
- Use incident response reviews to determine whether current logs can reconstruct which process initiated execution and under what user/session context.
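As an added illustration (not part of the ATT&CK object or Glexia's analysis), the following Python sketch applies the correlation described above to constructed endpoint events: it flags interpreters, shells or admin tools spawned by parents outside an assumed baseline, and records whether IPC activity by that parent preceded the launch. The event schema, the watched-child list, the baseline and the sample data are all assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath, PurePosixPath

# Constructed sample telemetry (not real logs): process-creation events and
# IPC-related events (e.g. a socket or named-pipe connect) keyed by pid.
EVENTS = [
    {"type": "ipc", "time": "2026-01-05T10:00:00", "pid": 4100, "image": "/opt/wordproc/wordproc"},
    {"type": "process_create", "time": "2026-01-05T10:00:04", "pid": 4121, "ppid": 4100, "parent_image": "/opt/wordproc/wordproc", "image": "/bin/bash", "cmdline": "bash -c 'uname -a'", "user": "alice", "session": "tty2"},
    {"type": "process_create", "time": "2026-01-05T10:01:10", "pid": 4130, "ppid": 900, "parent_image": "/usr/sbin/sshd", "image": "/bin/bash", "cmdline": "-bash", "user": "bob", "session": "pts/1"},
    {"type": "process_create", "time": "2026-01-05T10:02:00", "pid": 5012, "ppid": 3000, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe", "user": "CORP\\carol", "session": "1"},
    {"type": "process_create", "time": "2026-01-05T10:05:30", "pid": 5044, "ppid": 3500, "parent_image": "C:\\Program Files\\Office\\excel.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Get-Date", "user": "CORP\\carol", "session": "1"},
    {"type": "process_create", "time": "2026-01-05T10:06:00", "pid": 5050, "ppid": 3600, "parent_image": "/usr/bin/code", "image": "/usr/bin/node", "cmdline": "node server.js", "user": "alice", "session": "tty2"},
]

# Assumed list of interpreters, shells and admin tools whose launch merits review.
WATCHED_CHILDREN = {"bash", "sh", "zsh", "python3", "osascript", "cmd.exe", "powershell.exe", "wscript.exe"}
# Hypothetical per-environment baseline: parents expected to launch these children.
BASELINE = {"sshd": {"bash", "sh", "zsh"}, "explorer.exe": {"cmd.exe", "powershell.exe"}, "login": {"bash", "zsh"}}


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return (PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name).lower()


def find_suspicious(events, window=timedelta(seconds=30)):
    """Return process-creation events where a watched child is spawned by a
    non-baselined parent, annotated with whether IPC activity by that parent
    occurred within `window` before the launch (the T1559-style correlation)."""
    ipc_by_pid = {}
    for e in events:
        if e["type"] == "ipc":
            ipc_by_pid.setdefault(e["pid"], []).append(datetime.fromisoformat(e["time"]))
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        child, parent = basename(e["image"]), basename(e["parent_image"])
        if child not in WATCHED_CHILDREN or child in BASELINE.get(parent, set()):
            continue  # either not an interesting child, or expected for this parent
        t = datetime.fromisoformat(e["time"])
        preceded = any(timedelta(0) <= (t - ti) <= window for ti in ipc_by_pid.get(e["ppid"], []))
        hits.append({"parent": parent, "child": child, "cmdline": e["cmdline"],
                     "user": e["user"], "session": e["session"],
                     "ipc_preceded": preceded, "severity": "high" if preceded else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```

The IPC stream is optional: where the endpoint sensor exposes none, the same function still surfaces the unexpected parent-child pairs, just without the higher-severity annotation.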
Mitigation priorities
- Start with visibility: confirm endpoint logging and retention can support investigation of local execution chains involving IPC-related behavior.
- Establish baselines for business-critical applications and administrative tools that commonly use IPC.
- Reduce unnecessary execution paths through least privilege, application control, and hardening of hosts where feasible.
- Ensure SOC playbooks include triage questions for suspicious process lineage, user context, and whether IPC-related activity preceded execution.
- Use detection testing or purple-team validation to confirm coverage without assuming that generic process monitoring is sufficient.
Analyst notes and limits
The supplied ATT&CK detection strategy object is sparse: it has no official description, no official detection text, and no platforms or tactics directly specified. The practical guidance here is derived from the explicit relationship that DET0493 detects T1559, Inter-Process Communication, whose related tactic is execution and whose related platforms are Linux, macOS, and Windows.
This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Local operating system telemetry, EDR capabilities, application baselines, and retention practices are required to determine whether an organization can actually detect this behavior.
Detect Abuse of Inter-Process Communication (T1559)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1559 | Inter-Process Communication | This object detects Inter-Process Communication. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 233b5ccb681e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0493
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.